I am working on a platform where multiple (several dozens, dispersed) headless raspberry pi devices acquire periodic images in a remote location (no internet). I am now developing a mobile app to retrieve, wirelessly, the images through an ad-hoc wifi (or wifi-direct) network, when the user visits/maintains the raspberry pi. Multiple raspberry pis might be simultaneously "harvested" this way.
At the moment, each raspberry pi runs its own http server (discoverable through Bonjour/avahi), and this http server exposes images for download. I like/picked the http option as it allows me to communicate arbitrary data/instructions from/to the devices.
At the moment, I use the network discovery service/listener in the android API to get the IP addresses of the detected devices on the network. Then, I simply use an http client to communicate. Importantly, I modified the manifest.xml to allow for cleartext http. However, my understanding is that, for production apps, android forbids (or strongly recommend against) cleartext traffic (and enforces https). Therefore, unless I change my platform's architecture, I would need to use https.
What would be the best way to implement https given such architecture?
Note that, the raspberry pis are built once for all. The first time they boot, they self configure (which I could use to generate certificates). However, I am unsure how I could reasonably trust devices that are yet unknown to the android.
Many thanks for your ideas and feedback,
